Skip to main content
SpringerLink
Log in

Using the AMAN-DA method to generate security requirements: a case study in the maritime domain

  • Original Article
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

Security requirements are known to be “the most difficult of requirements types” and potentially the ones causing the greatest risk if they are not correct. One approach to requirements elicitation is based on the reuse of explicit knowledge. AMAN-DA is a requirement elicitation method that reuses encapsulated knowledge in security and domain ontologies to produce security requirements specifications. The main research question addressed in this paper is to what extent is AMAN-DA able to generate domain-specific security requirements? Following a well-documented process, a case study related to the maritime domain was undertaken with the goal to demonstrate the utility and effectiveness of AMAN-DA for the elicitation and analysis of domain-specific security requirements. The usefulness of the method was also evaluated with a group of 12 experts. The paper demonstrates the elicitation of domain-specific security requirements by presenting the AMAN-DA method and its application. It describes the evaluation and reports some significant results and their implications for practice and future research, especially for the field of knowledge reuse in requirements engineering.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18

Similar content being viewed by others

Notes

  1. AMAN () is the Arabic word for security. DA is for domain of application. The name was chosen to refer to security requirements engineering for domains of application.

  2. http://www.jessrules.com/.

  3. The interview instrument can be consulted on this link: https://www.dropbox.com/s/34nb8d4xo4hwuc8/Interview%20instrument.pdf?dl=0.

References

  1. Mayer N (2012) Model-based management of information system security risk. Presses universitaires de Namur

  2. Fenz S, Ekelhart A (2009) Formalizing information security knowledge. In Proceedings of the 4th international symposium on information, computer, and communications security, ASIACCS’09. ACM, New York, NY, USA, pp 183–194

  3. Haley CB, Laney R, Moffett JD, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153

    Article  Google Scholar 

  4. Tondel IA, Jaatun MG, Meland PH (2008) Security requirements for the rest of us: a survey. Softw IEEE 25(1):20–27

    Article  Google Scholar 

  5. Meier JD (2006) Web application security engineering. Secur Priv IEEE 4(4):16–24

    Article  Google Scholar 

  6. Firesmith DG (2004) Specifying reusable security requirements. J Object Technol 3(1):61–75

    Article  Google Scholar 

  7. Zuccato A, Daniels N, Jampathom C (2011) Service security requirement profiles for telecom: how software engineers may tackle security. In: The sixth international conference on availability, reliability and security (ARES’11), pp 521–526. doi:10.1109/ARES.2011.81

  8. Salinesi C, Ivankina E, Angole W (2008) Using the RITA threats ontology to guide requirements elicitation: an empirical experiment in the banking sector. In: The first international workshop on managing requirements knowledge, 2008, MARK’08, pp 11–15

  9. Velasco JL, Valencia-Garcia R, Fernandez-Breis JT, Toval A (2009) Modelling reusable security requirements based on an ontology framework. J Res Pract Inf Technol 41(2):119

    Google Scholar 

  10. Souag A, Salinesi C, Comyn-Wattiau I, Mouratidis H (2013) Using security and domain ontologies for security requirements analysis. In: Computer software and applications conference workshops (COMPSACW), pp 101–107

  11. Souag A (2012) Towards a new generation of security requirements definition methodology using ontologies. In: CAiSE, Gdansk, Poland, pp1–8

  12. Runeson P, Host M, Rainer A, Regnell B (2012) Case study research in software engineering: guidelines and examples, 1st edn. Wiley, Hoboken

    Book  Google Scholar 

  13. Souag A, Mazo R, Salinesi C, Comyn-Wattiau I (2015) Reusable knowledge in security requirements engineering: a systematic mapping study. Requir Eng J 21(2):251–283

  14. Peffers K, Tuunanen T, Rothenberger MA, Chatterjee S (2007) A design science research methodology for information systems research. J Manag Inf Syst 24(3):45–77

    Article  Google Scholar 

  15. Souag A, Salinesi C, Comyn-Wattiau I (2012) Ontologies for security requirements: a literature survey and classification. In: Advanced information systems engineering workshops. Springer, Berlin, pp 61–69

  16. Souag A, Salinesi C, Mazo R, Comyn-Wattiau I (2015) A security ontology for security requirements elicitation. In: Piessens F, Caballero J, Bielova N (eds) Engineering Secure Software and Systems (ESSoS), Milan, Italy. Springer, Cham, pp 157–177

    Google Scholar 

  17. Eisenhardt KM (1989) Building theories from case study research. Acad Manag Rev 14(4):532–550

    Article  Google Scholar 

  18. Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(02):285–309

    Article  Google Scholar 

  19. Mouratidis H (2011) Secure software systems engineering: the secure tropos approach. JSW 6(3):331–339

    Article  Google Scholar 

  20. Secure and Dependable Software Systems. University of Brighton. Modelling method conceptualisation within OMiLab: the secure tropos approach. May 2017. http://vienna.omilab.org/repo/files/T-SecTr/2017-05-12%20RCIS%202017%20SecureTroposTutorial.pdf

  21. Bjørner D (2010) Rôle of domain engineering in software development—why current requirements engineering is flawed! In: Pnueli A, Virbitskaite I, Voronkov A (eds) Perspectives of systems informatics. Springer, Berlin, pp 2–34

    Chapter  Google Scholar 

  22. Kaiya H, Saeki M (2006) Using domain ontology as domain knowledge for requirements elicitation. In: The 14th IEEE international conference on requirements engineering, pp 189–198

  23. Rupp C, Simon M, Hocker F (2009) Requirements engineering und management. HMD Praxis der Wirtschaftsinformatik 46(3):94–103

    Article  Google Scholar 

  24. Prat N, Comyn-Wattiau I, Akoka J (2015) A taxonomy of evaluation methods for information systems artifacts. J Manag Inf Syst 32(3):229–267

    Article  Google Scholar 

  25. Checkland P, Scholes J (1990) Soft systems methodology in action. Wiley, Chichester

    Google Scholar 

  26. Venable J, Pries-Heje J, Baskerville RA (2012) Comprehensive framework for evaluation in design science research. In: Salinesi C, Peffers K, Rothenberger M, Kuechler B (eds) Proceedings of the seventh international conference on design science research in information systems and technology (DESRIST 2012). Springer, Las Vegas, pp 423–438

    Google Scholar 

  27. Gregor S, Hevner AR (2013) Positioning and presenting design science research for maximum impact. MIS Q 37(2):337–355

    Article  Google Scholar 

  28. Belmont Kate B Maritime cyber attacks: changing tides. Last modified Nov 2015. http://maritime-executive.com/blog/maritime-cyber-attacks-changing-tides

  29. Paganini P Hacking ships: maritime shipping industry at risk. Last modified March 31, 2015. http://securityaffairs.co/wordpress/35504/hacking/hacking-maritime-shipping-industry.html

  30. Fitton O, Prince D, Germond B, Lacy M (2015) The future of maritime cyber security. Lancaster University, Lancaster, p 36

    Google Scholar 

  31. Inetrnational Maritime Organization (1974) International convention for the safety of life at sea (SOLAS)

  32. International Maritim Organization (2011) ISPS code

  33. Chebli AS (2009) La piraterie maritime au début du XXième siecle: panorama, modes opératoires et solutions. Mémoire pour le DU Analyse des menaces contemporaines

  34. Davis FD (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 13(3):319–340

    Article  Google Scholar 

  35. EBIOS Secrétariat Général De la Défense Nationale (2004) EBIOS-Expression des Besoins et Identification des Objectifs de Sécurité. http://www.ssi.gouv.fr/guide/ebios-2010-expression-des-besoins-et-identification-des-objectifs-de-securite/

  36. Requirements Working Group (2012) International council on systems engineering (INCOSE), guide for writing requirements, INCOSE

  37. Palomares C, Franch X, Quer C (2014) Requirements reuse and patterns: a survey. In: International working conference on requirements engineering: foundation for software quality. Springer, Cham, pp 301–308

    Chapter  Google Scholar 

  38. Farfeleder S, Moser T, Krall A, Stålhane T, Zojer H Panis C (2011) DODT: increasing requirements formalism using domain ontologies for improved embedded systems development. In: Design and diagnostics of electronic circuits and systems (DDECS), 2011 IEEE 14th international symposium on. IEEE, pp 271–274

  39. Ruhroth T, Gärtner S, Bürger J, Jürjens J, Schneider K (2014) Towards adaptation and evolution of domain-specific knowledge for maintaining secure systems. In: Product-focused software process improvement. Springer, pp 239–253

  40. Naudet Y, Mayer N, Feltus C (2016) Towards a systemic approach for information security risk management. In: Availability, reliability and security (ARES), 2016 11th international conference on. IEEE, pp 177–186

Download references

Acknowledgements

Authors would like to thank Dr. Zeinab Hmedeh for her valuable help during the development of the AMAN-DA tool and Prof. Bénédicte le Grand for her fruitful discussions and feedbacks all over the AMAN-DA project.

Author information

Authors and Affiliations

  1. CRI, Université Panthéon Sorbonne, Paris, France

    Amina Souag, Raúl Mazo & Camille Salinesi

  2. GiDITIC, Universidad Eafit, Medellin, Colombia

    Raúl Mazo

  3. CEDRIC-CNAM and ESSEC Business School, Paris, France

    Isabelle Comyn-Wattiau

Authors
  1. Amina Souag
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Raúl Mazo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Camille Salinesi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Isabelle Comyn-Wattiau
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Amina Souag.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Souag, A., Mazo, R., Salinesi, C. et al. Using the AMAN-DA method to generate security requirements: a case study in the maritime domain. Requirements Eng 23, 557–580 (2018). https://doi.org/10.1007/s00766-017-0279-5

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-017-0279-5

Keywords

Search

Navigation